DoorFlow API Security Philosophy

Once a Door Opens, History Can't Be Rewritten

Physical access control requires the highest form of security. Unlike digital access, once physical access is granted, its consequences cannot be undone. Our API access meets the highest security standards—akin to FAPI (Financial Grade API) and OpenBanking—with explicit user consent, auditability, and the ability to revoke access at any time.

As developers ourselves, we understand you're likely building alongside countless other integrations—from email providers to merchant systems. Physical access will likely be the most security-conscious integration you'll ever implement, and that's for good reason. We use standards like OAuth to make integration as straightforward as possible, but we're unapologetically security-forward. It's our job to facilitate easy integration while never compromising on the security of our account holders' data.

1. Security Doesn't Scale Down - One Standard Protects All

Security controls are uniformly enforced across all tenants and applications, regardless of scale or perceived risk. There is no "basic" or "relaxed" security tier. Whether it's an enterprise application serving hundreds of tenants or a single-tenant custom application, the same strict security standards apply.

2. Zero Trust: Trust Is Earned With Every Request, Never Assumed

All external applications are treated as third-party applications and are not assumed to be confidential. In line with NIST Zero Trust principles, we maintain no concept of perimeter security. No client secret is assumed to be kept secure by default.

3. Account Owner Permission Required - Always Ask, Never Assume

We operate on a multi-tenant model where all applications require explicit consent for access to any DoorFlow account. No client is considered the resource owner for any DoorFlow account. Access to all resources must be authorized by the account owner and scoped accordingly. When a client application is granted access, DoorFlow creates a dedicated service user to serve as the resource owner for access tokens.

4. Clients Have No Resources

All API requests are made within the context of a user, ensuring complete traceability and accountability for every operation within the system.

5. Short-Lived Keys With Long-Term Protection

The Authorization Code and Refresh Token flow are the most secure OAuth grant types for third-party public client applications. They enforce short-lived tokens, require explicit user consent, and support least-privileged scopes.

6. Security That Stays Ahead Of The Curve

Security is evolving and we'll evolve with best practices. Security is never "one and done." We continuously introduce the latest security features to ensure we meet security best practices now and into the future.

7. Customer Authorization - Our Commandment

Our DoorFlow account holders data is never accessible unless they explicitly allow it. We honor their authorization decisions as the absolute law governing our system's behavior. We will never give their data to an application without an account owner user giving explicit consent.

8. Industry-Standard Authentication - OAuth 2.0 Today, 2.1 Tomorrow

We've built our security foundation on OAuth 2.0, the industry-standard protocol for authorization. This means you can leverage well-established, battle-tested libraries in virtually any programming language rather than learning proprietary systems. Our roadmap includes OAuth 2.1 adoption, incorporating the latest security enhancements while maintaining backward compatibility. By embracing these standards, we provide both security and developer efficiency.